I'm new to Thymeleaf, but worked with JSPs before, so that should be the same principle I would have thought.
Anyhow... I'm trying to put together the following Spring security tutorial https://spring.io/guides/gs/securing-web/.
It uses Thymeleaf for the frontend page rendering, and the following Login page does not play ball:
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:th="https://www.thymeleaf.org"
xmlns:sec="https://www.thymeleaf.org/thymeleaf-extras-springsecurity4">
<head>
<title>Spring Security Example </title>
</head>
<body>
<div th:if="${param.error}">
Invalid username and password.
</div>
<form th:action="#{/login.html}" method="post">
<div><label> User Name : <input type="text" name="username"/> </label></div>
<div><label> Password: <input type="password" name="password"/> </label></div>
<div><input type="submit" value="Sign In"/></div>
</form>
</body>
</body>
</html>
Then, I have the following Spring security configuration class:
#Configuration
#EnableWebSecurity
public class WebSecurityConfig extends WebSecurityConfigurerAdapter {
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/", "/home", "/greeting").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.defaultSuccessUrl("/homepage.html", true)
.failureUrl("/login.html?error=true")
.permitAll()
.and()
.logout()
.permitAll();
}
#Bean
#Override
public UserDetailsService userDetailsService() {
UserDetails user =
User.withDefaultPasswordEncoder()
.username("user")
.password("password")
.roles("USER")
.build();
return new InMemoryUserDetailsManager(user);
}
}
The page with the form displays just fine, but when I provide the above credentials (user/password), it does not log the user in. It basically gets stuck in a loop demanding to login; there is a homepage.html, but it's never redirected to.
There is nothing in the logs, no errors or any messages.
Trying to debug it, I've added the following controller:
#Controller
#Slf4j
public class GreetingController {
#PostMapping("/login")
public String greeting(#RequestParam(name = "username", value = "xxx") String username, #RequestParam(name = "password", value = "yyy") String password, Model model) {
log.info("U " + username + " P " + password);
model.addAttribute("username", username);
model.addAttribute("password", password);
return "login";
}
}
but when trying to invoke http://localhost:8080/login, I get the following error:
There was an unexpected error (type=Method Not Allowed, status=405).
Request method 'GET' not supported
org.springframework.web.HttpRequestMethodNotSupportedException: Request method 'GET' not supported
So, having tried all above, I'm kinda stuck now and not sure what to try next.
How do I debug such a login page to find out what's going on? Also, could anyone spot any problems with the code I've provided above so far?
Related
I just want to register a user on my web site using springboot and thymeleaf, the problem is that when user clicks on "submit", after filled the registration form to save its credentials, well this operation isn't done and I land on login page.
I'm sure registration isn't completed because when I try to login it is unsuccessful and both "credentials" and "user" tables are empty.
This is the registration form, I'm saving "user" and "credentials" two different entities :
<form th:action="#{/process_register}" method="post">
<label for="username">Email:</label>
<input type="email" name="username" id="username" required th:field="${credentials.username}"/>
<label for="password">Password:</label>
<input type="password" name="password" id="password" required th:field="${credentials.password}"/>
<label for="name">Nome:</label>
<input type="name" name="name" id="name" th:field="${user.name}" required />
<button type="submit" class="btn btn-primary">Register</button>
<a th:href="#{/login}" href="login.html" > or login</a>
</form>
This is /process_register controller :
#PostMapping("/process_register")
public String processRegister(#ModelAttribute("credentials")Credentials credentials,#ModelAttribute("user") User user) {
credentials.setUser(user);
credentialService.saveCredentials(credentials);
System.out.println("Ho invocato saveCredentials");
return "login";
}
saveCredentials() method :
#Transactional
public Credentials saveCredentials(Credentials credentials) {
credentials.setPassword(this.passwordEncoder.encode(credentials.getPassword()));
return this.credentialsRepository.save(credentials);
}
where credentialsRepository extends CrudRepository.
EDIT :
AuthConfiguration :
#Configuration
#EnableWebSecurity
public class AuthConfiguration extends WebSecurityConfigurerAdapter {
#Autowired
DataSource datasource;
#Override
protected void configure(HttpSecurity http) throws Exception {
http
// authorization paragraph: qui definiamo chi può accedere a cosa
.authorizeRequests()
.antMatchers(HttpMethod.GET, "/",
"/index",
"/login",
"/collection/*",
"/collections",
"/NFTS",
"/signup_form",
"/register",
"/css/**",
"zzz",
"/images/**").permitAll()
.antMatchers(HttpMethod.POST, "/login", "/register").permitAll()
.antMatchers(HttpMethod.GET, "/admin/**").hasAnyAuthority(ADMIN_ROLE)
.antMatchers(HttpMethod.POST, "/admin/**").hasAnyAuthority(ADMIN_ROLE)
.anyRequest().authenticated()
.and().formLogin()
.loginPage("/login")
.defaultSuccessUrl("/default")
.and().logout()
.logoutUrl("/logout")
.logoutRequestMatcher(new AntPathRequestMatcher("/logout"))
.logoutSuccessUrl("/index")
.invalidateHttpSession(true)
.clearAuthentication(true).permitAll();
}
#Override
public void configure(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication()
//use the autowired datasource to access the saved credentials
.dataSource(this.datasource)
//retrieve username and role
.authoritiesByUsernameQuery("SELECT username, role FROM credentials WHERE username=?")
//retrieve username, password and a boolean flag specifying whether the user is enabled or not (always enabled in our case)
.usersByUsernameQuery("SELECT username, password, 1 as enabled FROM credentials WHERE username=?");
/*auth.inMemoryAuthentication()
.withUser("user1").password(passwordEncoder().encode("user1")).roles("USER")
.and()
.withUser("user2").password(passwordEncoder().encode("user2")).roles("USER")
.and()
.withUser("admin").password(passwordEncoder().encode("admin")).roles("ADMIN_ROLE");*/
}
#Bean
PasswordEncoder passwordEncoder() {
return new BCryptPasswordEncoder();
}
}
After looking at github repo: you need to create your controllers with regard to auth filters configured in AuthConfiguration. Only a few paths are allowed to be accessed by an unauthorized user i.a. /register and /login.
Since /process_register is not whitelisted, then the POST request doesn't reach the controller. It is caugth by the filter and redirected to login page instead.
To fix the issue you can for instance do these:
Change #PostMapping("/process_register") to #PostMapping("/register") in your controller.
Change th:action="#{/process_register}" to th:action="#{/register}" in your template.
After it's done the registration form should work.
By the way:
You should not use th:field like this. It is supposed to be used together with form backing bean (th:object) - please refer to the documentation.
I'm following Jérôme Jaglale's Spring Cookbook. While in spring security section I created a small login example to authenticate a user according to database.
login.jsp
<%# page language="java" contentType="text/html; charset=UTF-8" pageEncoding="UTF-8"%>
<body>
<c:url var="loginUrl" value="/login" />
<form action="${loginUrl}" method="post" >
<input type="hidden" name="${_csrf.parameterName}"
value="${_csrf.token}"/>
<c:if test="${param.error != null}">
<p>
Invalid username and password.
</p>
</c:if>
<p>
<label for="username">Username</label>
<input type="text" id="username" name="username"/>
</p>
<p>
<label for="password">Password</label>
<input type="password" id="password"
name="password"/>
</p>
<button type="submit">Log in</button>
</form>
<c:url var="logout" value="/logout" />
logout
</body>
LoginController.java
#Controller
public class LoginController {
#RequestMapping(value = "/login", method = RequestMethod.GET)
public void login() {
}
#RequestMapping(value = "/login", method = RequestMethod.POST)
public String processLogin() {
return "homepage";
}
#RequestMapping(value = "/logout")
public String logout() {
return "out";
}
}
SecurityConfig.java
#Configuration
#EnableWebMvcSecurity
public class SecurityConfig extends WebSecurityConfigurerAdapter {
#Autowired
public void configureUser(AuthenticationManagerBuilder auth) throws Exception {
auth.jdbcAuthentication()
.dataSource(dataSource())
.usersByUsernameQuery("select username,password,enabled from users where username = ?")
.authoritiesByUsernameQuery("select username,authority from authorities where username = ? ");
}
protected void configure(HttpSecurity http) throws Exception {
http.authorizeRequests().anyRequest().authenticated();
http.formLogin().loginPage("/login").permitAll();
AntPathRequestMatcher pathRequestMatcher = new AntPathRequestMatcher("/logout");
http.logout().logoutRequestMatcher(pathRequestMatcher);
}
#Bean
public DataSource dataSource() {
DriverManagerDataSource dataSource = new DriverManagerDataSource();
dataSource.setDriverClassName("com.mysql.jdbc.Driver");
dataSource.setUrl("jdbc:mysql://localhost:3306/customer");
dataSource.setUsername("root");
dataSource.setPassword("123");
return dataSource;
}
#Bean
public DataSourceTransactionManager transactionManager() {
DataSourceTransactionManager transactionManager = new DataSourceTransactionManager();
transactionManager.setDataSource(dataSource());
return transactionManager;
}
}
And finally a folder structure to my project.
The database login authentication part is working perfectly fine.
The problem is that the form's post request doesn't return to the LoginController. Also the logout action doesn't return to the /logout mapped method in LoginConroller.
Please help me to figure out what went wrong in this example?
Thanks.
Everything is working according with Spring Security. You don't need to implement log in or log out actions Spring Security is doing it instead of you (You just need to turn them on by http.formLogin(), http.httpBasic(), http.logout(), by default log out action is turned on).
Spring Security has filters which are making/checking some actions on request before/after hitting your controller. According to filter pattern, each of such filter may check, block, process ... your request. By http.formLogin() or http.logout() you are saying to spring security to turn on filter which are responsible to log in or log out the user - so spring security will turn on the appropriate filter and if somebody is hitting the POST /login spring's security filter will intercept such request, log in the user and redirect him to home page (or protected requested page) and such filter will not pass your request father in the chain (to your controller) the same with log out action.
Spring Security giving you the options to configuring the behaviour of the filters ex. http.formLogin().loginPage("/logpage").usernameParameter("custom-username-parameter-name"). Of course you can turn off such filters and the requests POST /login POST /logout will hit your controller, but is not a good way, because it's implementing the same logic which are already in spring security with new bugs of course. To disable filters just do http.formLogin().disable(); http.logout().disable();
I want to have more control over the logging in and out, via custom controller and login page.
My SecurityConfiguration code currently looks like this:
#Configuration
#EnableWebSecurity
#EnableGlobalMethodSecurity(prePostEnabled = true)
public class SecurityConfiguration extends WebSecurityConfigurerAdapter {
#Autowired
private SpringDataJpaUserDetailsService userDetailsService;
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception {
auth
.userDetailsService(this.userDetailsService)
.passwordEncoder(Manager.PASSWORD_ENCODER);
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/resources/**", "/built/**", "/main.css", "/login.css").permitAll()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login")
.loginProcessingUrl("/loginSecure")
.defaultSuccessUrl("/index", true)
.permitAll()
.usernameParameter("username").passwordParameter("password")
.and()
.csrf().disable()
.logout()
.permitAll();
}
}
My login config in my Controller:
#RequestMapping(value = "/login")
public String login() {
return "login";
}
My loginSecure mapping in my controller:
#RequestMapping(value="/loginSecure", method = RequestMethod.POST)
public String login(#RequestAttribute("username") String userName, #RequestAttribute("password") String password) {
//does the authentication
final Authentication authentication = authenticationManager.authenticate(
new UsernamePasswordAuthenticationToken(
userName,
password
)
);
SecurityContextHolder.getContext().setAuthentication(authentication);
return "index";
}
My login.html:
<form class="login100-form validate-form" action="/loginSecure" method="post">
<span class="login100-form-title p-b-26">
Welcome
</span>
<span class="login100-form-title p-b-48">
<i class="zmdi zmdi-font"></i>
</span>
<div class="wrap-input100 validate-input" data-validate = "Valid email is: a#b.c">
<input class="input100" type="text" id="username" name="username"/>
<span class="focus-input100" data-placeholder="Email/Username"></span>
</div>
<div class="wrap-input100 validate-input" data-validate="Enter password">
<span class="btn-show-pass">
<i class="zmdi zmdi-eye"></i>
</span>
<input class="input100" type="password" id="password" name="password"/>
<span class="focus-input100" data-placeholder="Password"></span>
</div>
<div class="container-login100-form-btn">
<div class="wrap-login100-form-btn">
<div class="login100-form-bgbtn"></div>
<button class="login100-form-btn">
Login
</button>
</div>
</div>
</form>
When i submit the form, in chrome dev tools it submits as loginSecure? with url encoded but it just redirects back to the login.html again.
Edit: Removed the extra form from login.html and added csfr().disable to securityConfiguration. Added loginProcessUrl to httpSecurity and this fixed it. Above code works.
If you create a custom login html and a custom authenticator then you need to add this to the HttpSecurity config -> .loginProcessingUrl("/loginSecure")
Good example here -> https://www.boraji.com/spring-security-4-custom-login-from-example
From what you wrote I guess that the problem is that after clicking "Login" your application is hit by two request.
I think that problem is that your login page has two forms one inside another. So when you click "Login" both forms sends their requests. You can verify that in Chrome Developer Tools.
As you can read here HTML doesn't allow nested forms Is it valid to have a html form inside another html form?
I have trouble in coupling Spring Security authentication with jQuery. Actually script does not even run - nothing happens when i click on
In browser's console i found message: Uncaught SyntaxError: Unexpected token < in login.js:1.
I've read some questions answered earlier and realised that this is problem concerning wrong ContentType returned, but i don't know how to fix it. I think that it may be also linked to Spring Security resource protection. I added config line posted below to turn it off, that made at least css working.
It is also weird that when i go to Sources in console, then click on login.js html code appears rather than js code.
I kindly ask for help with putting it all together :)
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/resources/**").anyRequest();
}
$(document).ready(function(){
$("#login").click(function(){
var email = $("#username").val();
var password = $("#password").val();
// Checking for blank fields.
if( email =='' || password ==''){
$('input[type="text"],input[type="password"]').css("border","2px solid red");
$('input[type="text"],input[type="password"]').css("box-shadow","0 0 3px red");
alert("Please fill all fields...!!!!!!");
}else {
$.post("login",{username: email, password: password},
function(data) {
if(data=='Invalid Email.......') {
$('input[type="text"]').css({"border":"2px solid red","box-shadow":"0 0 3px red"});
$('input[type="password"]').css({"border":"2px solid #00F5FF","box-shadow":"0 0 5px #00F5FF"});
alert(data);
}else if(data=='Email or Password is wrong...!!!!'){
$('input[type="text"],input[type="password"]').css({"border":"2px solid red","box-shadow":"0 0 3px red"});
alert(data);
} else if(data=='Successfully Logged in...'){
$("form")[0].reset();
$('input[type="text"],input[type="password"]').css({"border":"2px solid #00F5FF","box-shadow":"0 0 5px #00F5FF"});
alert(data);
} else{
alert(data);
}
});
}
});
});
<script src="https://ajax.googleapis.com/ajax/libs/jquery/2.1.1/jquery.min.js"></script>
<html>
<head>
<title>Login page</title>
<meta name="_csrf" content="${_csrf.token}"/>
<meta name="_csrf_header" content="${_csrf.headerName}"/>
<link rel="stylesheet" type="text/css" href="style.css"></link>
<script src="http://ajax.googleapis.com/ajax/libs/jquery/1.11.1/jquery.min.js"></script>
<script src="login.js" type="text/javascript"></script>
</head>
<body>
<h1>Login page</h1>
<form>
<label for="username">Username</label>:
<input type="text" id="username" name="username" autofocus="autofocus"/> <br/>
<label for="password">Password</label>:
<input type="password" id="password" name="password"/> <br/>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
<input type="button" id="login" value="Log in"/>
</form>
</body>
</html>
#Controller
public class Login {
#RequestMapping(value = "/login", method = RequestMethod.GET)
public String login() {
return "login";
}
#RequestMapping(value = "/homepage", method = RequestMethod.GET)
public String homepage() {
return "homepage";
}
}
#EnableWebSecurity
#Configuration
public class SecConfig extends WebSecurityConfigurerAdapter {
#Autowired
private MyUserDetailsService userDetailsService;
#Override
protected void configure(AuthenticationManagerBuilder auth)
throws Exception {
auth.authenticationProvider(authenticationProvider());
}
#Bean
public DaoAuthenticationProvider authenticationProvider() {
DaoAuthenticationProvider authProvider
= new DaoAuthenticationProvider();
authProvider.setUserDetailsService(userDetailsService);
authProvider.setPasswordEncoder(encoder());
return authProvider;
}
#Bean
public PasswordEncoder encoder() {
return new BCryptPasswordEncoder(11);
}
#Override
protected void configure(HttpSecurity http) throws Exception {
http
.authorizeRequests()
.antMatchers("/login*").anonymous()
.anyRequest().authenticated()
.and()
.formLogin()
.loginPage("/login.html")
.defaultSuccessUrl("/homepage.html")
.failureUrl("/login.html?error=true")
.and()
.logout().logoutSuccessUrl("/login.html");
}
#Override
public void configure(WebSecurity web) throws Exception {
web.ignoring().antMatchers("/resources/**").anyRequest();
}
}
EDIT:
When i deleted invocation of anyRequest(); method in web.ignoring().antMatchers("/resources/**").anyRequest(); there is another error:
Refused to execute script from 'http://localhost:8080/login.js' because its MIME type ('text/html') is
not executable, and strict MIME type checking is enabled.
I guess that maybe the trouble is due to csrf. There is a snippet where in fact it is, but I think that in your jquery post you are not sending it.
The Unexpected token < message could be due to CSRFFilter sending html encoded http 401 or 403 response.
You could make a try disabling csrf in security configuration to check wether it works or not, and if it finally works this way, then you could make the proper changes to turn it on without breaking the login post
We must pass header and tokens in all post request,
var token = $("meta[name='_csrf']").attr("content");
var header =
$("meta[name='_csrf_header']").attr("content");
xhttp.setRequestHeader(header, token);
xhttp.send();
The Goal: I'd like to allow the user to access any page on my webapp, except for the /account page (unless they're logged in). I'd like this logging in process to be quite secure, and therefore have turned to using Spring Security in conjunction with the BCryptPasswordEncoder to handle this process. This webapp is being developed using Spring's pure-Java approach (no xml configurations whatsoever).
What Works: Going to /account correctly redirects the user to the /login page. The user can also correctly go to the / page without being redirected.
The Problem: I'm trying to configure Spring Security with my own custom UserDetailsService, but whenever I attempt to log in through the form on my JSP view, the loadUserByUsername(String username) method that I overwrote in said UserDetailsService does not appear to be called. In addition, it seems that when the user logs in with supposedly valid credentials, their authentication is not being stored in the Spring Security's current session and instead remain ROLE_ANONYMOUS.
WebSecurityConfigurerAdapter:
#EnableWebSecurity
#Configuration
public class SecurityConfig extends WebSecurityConfigurerAdapter
{
#Autowired
private UserDetailsServiceImpl userDetailsServiceImpl;
#Override
protected void configure(AuthenticationManagerBuilder auth) throws Exception
{
auth
.userDetailsService(userDetailsServiceImpl)
.passwordEncoder(bCryptPasswordEncoder());
}
#Override
public void configure(WebSecurity web) throws Exception
{
web
.ignoring()
.antMatchers("/css/**")
.antMatchers("/js/**");
}
#Override
protected void configure(HttpSecurity http) throws Exception
{
http
.authorizeRequests()
.antMatchers("/account").hasAnyRole("ROLE_USER", "ROLE_ADMIN")
.anyRequest().authenticated()
.and()
.authorizeRequests()
.antMatchers("/**").permitAll();
http
.formLogin()
.usernameParameter("j_username")
.passwordParameter("j_password")
.loginPage("/login")
.defaultSuccessUrl("/")
.failureUrl("/loginfailed")
.permitAll()
.and()
.logout()
.logoutUrl("/logout")
.logoutSuccessUrl("/")
.permitAll();
}
#Bean #Override
public AuthenticationManager authenticationManagerBean() throws Exception
{
return super.authenticationManagerBean();
}
#Bean
public BCryptPasswordEncoder bCryptPasswordEncoder()
{
return new BCryptPasswordEncoder();
}
}
UserDetailsService:
#Service("userService")
public class UserDetailsServiceImpl implements UserDetailsService
{
#Override
public UserDetails loadUserByUsername(String username) throws UsernameNotFoundException
{
username = username.toLowerCase();
try
{
Account account = testAccount(); // See below for more details
if(account == null)
{
throw new UsernameNotFoundException("Could not find user '" + username + "' in the database.");
}
List<GrantedAuthority> auths = new ArrayList<GrantedAuthority>();
for(Role r : account.getRoles())
{
auths.add(new SimpleGrantedAuthority(r.getRole()));
}
WebUser user = null;
try
{
user = new WebUser(account.getUserID(), username, account.getPassword(), true, true, true, true, auths);
}
catch(Exception e)
{
e.printStackTrace();
}
return user;
}
catch(Exception e)
{
e.printStackTrace();
throw new UsernameNotFoundException(username + " not found", e);
}
}
private Account testAccount()
{
Account acc = new Account();
acc.setUserID(1);
acc.setUsername("admin");
acc.setPassword("$2a$10$ETHSfGAR8FpNTyO52O7qKuoo2/8Uqdwcqq70/5PN4.8DXTR6Ktiha");
acc.setDescription("No description.");
acc.setInfluence(9001);
acc.setJoinDate("03-15-2014");
List<Role> roles = new ArrayList<Role>();
roles.add(new Role(Role.ADMIN)); // Role.ADMIN = "ROLE_ADMIN"
roles.add(new Role(Role.USER)); // Role.USER = "ROLE_USER"
return acc;
}
}
login.jsp:
<%# page language="java" contentType="text/html; charset=ISO-8859-1" pageEncoding="ISO-8859-1"%>
<%# taglib prefix="c" uri="http://java.sun.com/jsp/jstl/core" %>
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<base href="${pageContext.request.scheme}://${pageContext.request.serverName}:${pageContext.request.serverPort}${pageContext.request.contextPath}/" />
<title>Login</title>
<link rel="stylesheet" type="text/css" href="css/main.css" />
<script type="text/javascript" src="js/main.js"></script>
</head>
<body onload="document.loginForm.j_username.focus();">
<div id="page_wrap">
<h2>Login Page</h2>
<div id="container">
<div id="login">
<form name="loginForm" action="<c:url value='j_spring_security_check' />" method="POST">
<h5>Log in to your account</h5>
<p>
<label for="name">Username: </label>
<input type="text" name="j_username" />
</p>
<p>
<label for="name">Password: </label>
<input type="password" name="j_password" />
</p>
<p>
<input type="submit" id="submit" value="Log In" name="submit" />
</p>
<input type="hidden" name="${_csrf.parameterName}" value="${_csrf.token}"/>
</form>
<c:if test="${not empty error}">
<div class="errorblock">
Your login attempt was not successful, please try again.<br>
Caused: ${sessionScope["SPRING_SECURITY_LAST_EXCEPTION"].message}
</div>
</c:if>
</div><!--end login-->
</div><!--end container-->
</div><!--end page_wrap-->
</body>
</html>
The Input:
Username Input Field ("j_username") : admin
Password Input Field ("j_password") : password
Note: The hashed password I use in UserDetailsServiceImpl was generated using bCryptPasswordEncoder.encode("password");
The Results:
Remains on the /login page, does not redirect to / as it should on a successful login.
The Output:
12726 [http-bio-8080-exec-9] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - HttpSession returned null object for SPRING_SECURITY_CONTEXT
12726 [http-bio-8080-exec-9] DEBUG org.springframework.security.web.context.HttpSessionSecurityContextRepository - No SecurityContext was available from the HttpSession: org.apache.catalina.session.StandardSessionFacade#66201d6d. A new one will be created.
...
12727 [http-bio-8080-exec-9] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Secure object: FilterInvocation: URL: /j_spring_security_check; Attributes: [authenticated]
12727 [http-bio-8080-exec-9] DEBUG org.springframework.security.web.access.intercept.FilterSecurityInterceptor - Previously Authenticated: org.springframework.security.authentication.AnonymousAuthenticationToken#6faeba70: Principal: anonymousUser; Credentials: [PROTECTED]; Authenticated: true; Details: org.springframework.security.web.authentication.WebAuthenticationDetails#fffbcba8: RemoteIpAddress: 0:0:0:0:0:0:0:1; SessionId: 9626C55509CC1073AC2B5A8F65B2A585; Granted Authorities: ROLE_ANONYMOUS
12728 [http-bio-8080-exec-9] DEBUG org.springframework.security.access.vote.AffirmativeBased - Voter: org.springframework.security.web.access.expression.WebExpressionVoter#14cef147, returned: -1
12728 [http-bio-8080-exec-9] DEBUG org.springframework.security.web.access.ExceptionTranslationFilter - Access is denied (user is anonymous); redirecting to authentication entry point
org.springframework.security.access.AccessDeniedException: Access is denied
From the log it looks like you are hitting an access denied on "/j_spring_security_check". That's understandable because you didn't mark it as unprotected. I think you may just be making a false assumption about the default login processing URL (/login with #Configuration iirc). If you post to "/login" instead does it work?